Digital Signatures and Encryption in Yosemite Mail

After upgrading to Yosemite, I am having difficulty using the Mac Mail app to send digitally signed and encrypted email.


Before the upgrade to Yosemite, I was able to send signed and encrypted emails using certificate/keys in my keychain using both the Mac Mail app and Microsoft Outlook 2011 for Mac.


After upgrading, I am still able to send signed and encrypted messages in Outlook, but the Mac Mail app gives the following error when I attempt to send a signed email:


'You don’t have a trusted certificate in your keychain that matches the email address “XXXX@XXXX”. Without a certificate, you can’t sign messages sent from this address.' (Actual name replaced)


When I look at my certificates in my keychain, a certificate is available with "Usage: Digital Signature" that has the email address from the error message "XXXX@XXXX" with exact case in the RFC 822 Name.


----


Another interesting piece of data that might help track this down is that when I first launch the Mac Mail application, it is able to successfully decrypt emails that have previously been sent encrypted to me. HOWEVER, after I attempt to send an email and get the "You don’t have a trusted certificate..." error message, these emails can no longer be decrypted. I get the "Unable to decrypt message" header above the message, and the content of the message is just a "smime.p7m". If I close the Mail application and restart it, these encrypted messages are once again decryptable until I attempt to send a message.

It almost seems like things are working until mail tries to access the keychain.


----


I have attempted to delete my certificate and keys from my keychain and then add those items again.

I have attempted to close the mail application and reopen it.

I have attempted to reboot my computer.

MacBook Pro with Retina display, OS X Yosemite (10.10)

Posted on Oct 20, 2014 3:33 PM

29 replies

Jan 28, 2015 8:17 AM in response to puglas

10.10.2 appears to still exhibit the same behavior (which from my reckoning is new behavior as of Yosemite), i.e., when I attempt to send a signed message via my home network, Mail signs and sends the message appropriately. When I log onto my work VPN, no joy, with the "Unable to sign message" error, per:


Since this only shows up when connected to the VPN, I suspected an OCSP issue, but it seems like this traffic is proceeding unimpeded, per:


[01.28 10:56:44] ocspd (root) - crl.comodoca.com:80 open through proxy proxy.company.com:80 HTTPS

[01.28 10:56:49] ocspd (root) - crl.comodoca.com:80 close, 206 bytes sent, 438536 bytes (428 KB) received, lifetime 00:05


As others have mentioned, if I get the above error message (with the email message now in the outbox), quit Mail and then restart Mail, then the message does get signed with my certificate and successfully sent (with ocspd messages, so it looks like the checks don't occur on startup for messages already in the Outbox...)


Am hoping perhaps that someone is looking into what might be causing the regression in signing functionality.

Jan 29, 2015 6:35 AM in response to jamesborr

I see an improvement with 10.10.2.


I see the same problem described by jamesborr for some email recipients. However, if I quit Mail.app and return to the problem message that is saved in my Drafts folder, I am able to correctly sign and encrypt. It's as if the previous problem is cached somehow, and this procedure clears out the issue. It appears that I am back to being able to use Mail.app for S/MIME.

Jan 29, 2015 6:55 AM in response to essandess

While it is true that one can use S/MIME, it does require that one be prepared to create a message, quit Mail, restart Mail and then send -- for EACH S/MIME message one wants to send. It should also be noted that this behavior is new with Yosemite (i.e. the above "jumping through hoops/clown car" method was not required for Mail in 10.9, 10.8, 10.7...)

Jan 31, 2015 9:43 PM in response to puglas

I just experienced this issue after upgrading to 10.10.2. Previously, I had no issues under both 10.10 or 10.10.1.


I had the same symptoms described here, but found that if I replied to emails, I could both sign and encrypt without issues. But if I tried to start a new email, I would get the "You don’t have a trusted certificate in your keychain that matches the email address" error.


After a lot of trial and error, I finally found out what was causing the problem...


My email provider provides access to my address book via LDAP, and I had Contacts.app configured to access it. Once I disabled the LDAP connection, and restarted Mail.app, the problems went away. Re-enabling the LDAP connection breaks things again.


Hope this helps someone.

Feb 1, 2015 7:30 AM in response to cuda74360

I confirm that the workaround described by cuda74360 works for me. What I did:


Contacts>Preferences...>Accounts> Uncheck "Enable this account" for the LDAP account


This leaves two big bugs for Mail.app + Contacts.app on the enterprise:


1. No LDAP support for addresses -- this is a pretty big hole.


2. Whenever I compose a signed+encrypted email, my Mail.app becomes a huge CPU hog for many tens of seconds, and it takes forever to get the signed+encrypted boxes on emails. This has been a problem since before Mavericks, and it is still not fixed in Yosemite. It appears to be related to having a large number of others' S/MIME certificates in your login Keychain. Does anyone know how to fix the Mail.app CPU hog problem for enterprise mail?

May 13, 2015 5:38 AM in response to essandess

I have tried finding the way to save the attachment as eml file and failed.


You describe:


Mail.app>File>Save As...> Save the smime.p7m message as a .eml file.


so either this means I select the e-mail and then select File > Save As...,

which allows me to save as plain text, RTF or raw message source.


I tried raw message source


then on executing:

$ openssl smime -decrypt -in ~/Downloads/test.eml -inkey christianGridka.key.pem


then I got lots of gibberish and in between:

Error decrypting PKCS#7 structure

21137:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/evp/evp_enc.c:330 :


tried just plain text

$ openssl smime -decrypt -in ~/Downloads/test.rtfd -inkey christianGridka.key.pem

Error reading S/MIME message

21407:error:0D0D20CC:asn1 encoding routines:SMIME_read_ASN1:no content type:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/asn1/asn_mime.c:379:



OR


I select the smime.p7m file and select on right click on the file:


Save Attachment ...


then I will get:

$ openssl smime -decrypt -in ~/Downloads/smime.eml -inkey christianGridka.key.pem

Error reading S/MIME message

21241:error:0D0D20CC:asn1 encoding routines:SMIME_read_ASN1:no content type:/SourceCache/OpenSSL098/OpenSSL098-52.20.2/src/crypto/asn1/asn_mime.c:379:


So unfortunately none of this worked for me. Please help if you can.
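The openssl decrypt attempts above, carried through end to end as an added example that is not part of the thread (it is neither Apple's nor any poster's code). It also exercises the certificate check the original poster describes at the top (the address in the RFC 822 Name, "Usage: Digital Signature"). It assumes OpenSSL 1.1.1 or newer on PATH (for -addext and -ext); the key, certificate, address and message body are constructed for the demo, and the bare smime.p7m blob is produced here by base64-decoding the MIME body, which is what "Save Attachment..." on an application/pkcs7-mime part yields.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes OpenSSL 1.1.1+ on PATH.
# Everything below (identity, address, message) is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ADDR="test@example.com"

# 1. Throwaway S/MIME identity. The address goes in the subjectAltName
#    rfc822Name (Mail's "RFC 822 Name"); keyUsage carries digitalSignature
#    (for signing) and keyEncipherment (so others can encrypt to it).
make_identity() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test User/emailAddress=$ADDR" \
    -addext "subjectAltName=email:$ADDR" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# The two things a signing client insists on: the exact address (byte for
# byte, so a case difference is a mismatch) in the SAN, and a keyUsage that
# permits Digital Signature. Prints "ok" or "mismatch".
check_cert_for_address() {
  addr=$1
  san=$(openssl x509 -in "$WORK/cert.pem" -noout -ext subjectAltName)
  ku=$(openssl x509 -in "$WORK/cert.pem" -noout -ext keyUsage)
  case "$san" in *"email:$addr"*) ;; *) echo mismatch; return 0 ;; esac
  case "$ku" in *"Digital Signature"*) echo ok ;; *) echo mismatch ;; esac
}

# 2. Encrypt a constructed message to the cert. The output is the MIME
#    envelope (Content-Type: application/pkcs7-mime ...) around base64 PKCS#7,
#    i.e. what "raw message source" of an encrypted mail looks like.
encrypt_message() {
  printf 'Subject: demo\n\nsecret body\n' > "$WORK/plain.txt"
  openssl smime -encrypt -aes256 -in "$WORK/plain.txt" \
    -out "$WORK/message.eml" "$WORK/cert.pem"
}

# 3. Decrypt the MIME form directly (the test.eml attempt in the thread).
decrypt_mime() {
  openssl smime -decrypt -in "$WORK/message.eml" \
    -inkey "$WORK/key.pem" -recip "$WORK/cert.pem"
}

# 4. Simulate "Save Attachment..." on smime.p7m: drop the MIME headers and
#    base64-decode, leaving the bare DER PKCS#7 blob.
extract_p7m() {
  sed '1,/^$/d' "$WORK/message.eml" | openssl base64 -d > "$WORK/smime.p7m"
}

# Handing that blob to -decrypt as if it were MIME fails with
# "no content type": there is no MIME envelope for the parser to read.
p7m_fails_as_mime() {
  if openssl smime -decrypt -in "$WORK/smime.p7m" -inkey "$WORK/key.pem" \
       >/dev/null 2>&1; then return 1; else return 0; fi
}

# Declaring the input DER makes the same blob decrypt.
decrypt_p7m() {
  openssl smime -decrypt -inform DER -in "$WORK/smime.p7m" \
    -inkey "$WORK/key.pem" -recip "$WORK/cert.pem"
}

make_identity
echo "certificate check for $ADDR: $(check_cert_for_address "$ADDR")"
encrypt_message
extract_p7m
decrypt_mime | grep 'secret body'
p7m_fails_as_mime && echo "bare smime.p7m without -inform DER: rejected"
decrypt_p7m | grep 'secret body'
```

The script leaves the plaintext in the work directory only until exit; against a real mailbox, point -inkey at the private key exported from the keychain and -in at either the raw message source (MIME) or the saved smime.p7m (add -inform DER).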

Aug 5, 2015 10:49 AM in response to pollard_byfrons

I'm experiencing this exact same problem. I seem to be able to encrypt just fine with no or very small attachments. However, once the attachment is even 2MB in size, my email sits in Drafts and never gets sent. Then my system disk also gets full, forcing me to restart. I have also noticed that for emails that are successfully sent and appear in the Sent folder, I get the banner warning "Unable to verify message signature," which if I click says that my ECA certificate isn't valid. Above the window displaying the certificate appears the checkbox "Messages from FLast@company.com" are valid if signed by "First Last", which is odd since my email address is strictly lowercase everywhere I can check, including in the ECA certificate. I'm not sure where Mail is getting or how Mail is creating this mixed case form of my email address. Totally frustrating!

Aug 26, 2015 2:33 PM in response to richard.d.moore

I have similar problems still in 10.10.5 (14F27).


Cannot encrypt to new recipients although the email is valid in the cert and also shown as verified in the Address Book.

To "old" contacts encryption works, although I had problems with CPU consumption and not sending out when using larger attachments.

I had two of my own certs enabled in my keychain; after disabling one of them at least the CPU bug went away, although this was no issue in Mavericks.


My Bug is 22444170

Nov 15, 2015 1:56 PM in response to Da' Lord

I have similar problems still in 10.10.5 (14F1021) with Mail 8.2 (2104)


So far, I just need to see signed email that I receive, because I don't have a certificate of my own.

When I receive a cryptographically signed email with Mail, I don't see the "signed" icon on the email.

If I search for old emails, received using 10.8 before the upgrade to 10.10, I do see the signed checkmark on these emails.


My Bug is 23541500
